More Information

Computer security problem
University says all affected will be notified by mail.
Western officials set up a searchable database at www.wcsu.edu/securityincident.
Frequently asked questions in English, Spanish and Portuguese are available at that site, along with other information.
Western and AllClear ID have set up a hotline at 855-731-6012, staffed from 9 a.m. to 9 p.m., Monday through Saturday.

DANBURY -- Western Connecticut State University is notifying about 235,000 people that their computer records could have been accessed because of a security vulnerability that existed for 3 1/2 years until September.

University officials said they were confident that no one accessed the records, which represented information the university collected over a 13-year period.

"We're confident no individual information was stolen," Western President James Schmotter said Thursday morning. "This was not an open door. You had to have knowledge of hacking and evil intent."

At Western, the personal data that was exposed from April 2009 to September 2012 included Social Security numbers of students, their families and some others associated with the university, and of some high school students whose SAT scores were purchased.

The university said it will pay for two years of identity-theft protection for those who want it, at a cost likely to reach upward of $1 million.

The vulnerability was discovered during routine maintenance in February, but it was not reported to Schmotter until Sept. 26 when, he said, he activated the Board of Regents' security incident response plan and fixed the problem.

"Mistakes and errors in judgment were made, and we are making people accountable," Schmotter said.

Thomas deChiaro has been named interim chief information officer for the 27-person computing department. He begins work Monday, Paul Steinmetz, Western spokesman and vice president of institutional development at the university, said. The former IT chief information officer left this week, he said.

Explaining the delay in alerting Western officials to the problem, Steinmetz said, "people in university computing" realized the problem in April "but they didn't tell the president or anyone on the Board of Regents." They wanted "to fix it" themselves.

"As we all come to rely more upon computers, the Internet and other Internet-based applications, we also need to ensure that we're utilizing the proper safety and security procedures to protect personal information," Flanagan said.

"To that end, the Board of Regents has already begun a thorough review of IT policy systemwide, and in June the board passed a resolution reiterating the importance of protecting personal information and outlining campus' responsibility under the law," she said.

The office of state Attorney General George Jepsen was notified in October about the discovery of the vulnerability.

"Our attorneys have been in discussions with university officials about how to correct the problem," said Susan Kinsman, a spokesman for the attorney general's office. "The priority was to promptly close any holes and secure the university systems. Our attorneys also wanted to make sure that identity-theft protection was provided to those whose personal information may have been at risk."

Steinmetz said the problem that caused the vulnerability is described as a "misconfiguration."

A computer network is made up of several components that need to stack on top of each other in perfect alignment, Steinmetz said, and if one is out of alignment it causes a vulnerability that someone with hacking ability could exploit.

Along with repairing the vulnerability, Steinmetz said, the university has increased its information-protection capacity and is purging information it no longer needs.

Connecticut has two laws that address computer security issues.

One requires a business to disclose a security breach involving personal information to affected consumers without unreasonable delay.

The second addresses intentional failure to safeguard personal information, but notes it is not a violation if the disclosure was unintentional.

"State law allows us to fix the problem before we announce it, and we worked with the attorney general on that timeline," Steinmetz said.

In August 2010, UConn notified more than 10,000 applicants and students at its West Hartford campus that records collected from 2004 to 2012 had been exposed because of the theft of a laptop.

At Central Connecticut State University in February, 18,000 Social Security numbers were found to have been vulnerable for about eight days, but officials were not sure whether they had been accessed.

In April, Housatonic Valley Community College found two of its computers infected with a virus that could have exposed 87,000 confidential records of students and faculty.